Privacy-Preserving Shortest Path Computation



SLIDE 1

Privacy-Preserving Shortest Path Computation

David J. Wu, Joe Zimmerman, Jérémy Planul, and John C. Mitchell

Stanford University

SLIDE 2

Navigation

current position; desired destination

SLIDE 3

Navigation: A Solved Problem?

directions to the Catamaran Resort

Issue: cloud learns where you are and where you are going!

SLIDE 4

“Trivial” Solution

Give me the entire map!

SLIDE 5

“Trivial” Solution

Give me the entire map!

Pros: lots of privacy (for the client)

Cons:

  • routing information constantly changing
  • map provider doesn’t want to give away map for “free”

SLIDE 6

Private Shortest Paths

San Diego Airport to Catamaran Resort

protocol

Client Privacy: server does not learn source or destination

Server Privacy: client only learns route from source to destination

SLIDE 7

Private Shortest Paths

Model: assume client knows topology of the network (e.g., road network from OpenStreetMap)

Weights on edges (e.g., travel times) are hidden

Client Privacy: Server does not learn client’s source $t$ or destination $u$

Server Privacy: Client only learns $t \to u$ shortest path and nothing about weights of other edges not in shortest path

SLIDE 8

Straw Man Solution

Suppose road network has $o$ nodes

Construct $o \times o$ database:

$$\begin{bmatrix} s_{11} & s_{12} & \cdots & s_{1o} \\ s_{21} & s_{22} & \cdots & s_{2o} \\ \vdots & \vdots & \ddots & \vdots \\ s_{o1} & s_{o2} & \cdots & s_{oo} \end{bmatrix}$$

record $s_{tu}$: shortest path from node $t$ to node $u$ (e.g., $t \to w_1 \to w_2 \to u$)

Shortest Path Protocol: privately retrieve record $s_{tu}$ from database

SLIDE 9

Symmetric Private Information Retrieval (SPIR)

cloud database

record $j$

SPIR protocol

???

Client Privacy: server does not learn $j$

Server Privacy: client only learns record $j$

SLIDE 10

Finding Structure

Straw man solution requires SPIR on databases with $o^2$ records – quadratic in number of nodes in the graph – rather impractical!

Observation 1: Nodes in road networks tend to have low (constant) degree

SLIDE 11

Finding Structure

Typically, an intersection has up to four neighbors (for the four cardinal directions)

For each node in the network, associate each neighbor with a direction (unique index)

SLIDE 12

Finding Structure

Next-hop routing matrix for graph with $o$ nodes:

$$\begin{bmatrix} s_{11} & s_{12} & \cdots & s_{1o} \\ s_{21} & s_{22} & \cdots & s_{2o} \\ \vdots & \vdots & \ddots & \vdots \\ s_{o1} & s_{o2} & \cdots & s_{oo} \end{bmatrix}$$

$s_{tu}$: index of neighbor to take on first hop on shortest path from node $t$ to node $u$

shortest path protocol: iteratively retrieve the next hop in shortest path

SLIDE 13

Finding Structure

[Figure: example graph with numbered nodes]

Routing from 0 to 4:

  1. Query $s_{04}$: North
  2. Query $s_{14}$: North
  3. Query $s_{24}$: East
  4. Query $s_{34}$: East

But same problem as before: SPIR on database with $o^2$ elements
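The next-hop matrix and the iterative lookup from the last two slides, as an added Python example that is not the authors' code. The six-node graph, its weights, the direction labels and all function names are constructed for illustration, and `plain_query` is a non-private stand-in for the SPIR lookup that records what an ordinary server would see.

```python
import math

# Constructed sample data. TOPOLOGY is public: node -> {direction: neighbour}.
TOPOLOGY = {
    0: {"N": 1, "E": 5}, 1: {"S": 0, "N": 2}, 2: {"S": 1, "E": 3},
    3: {"W": 2, "E": 4, "S": 5}, 4: {"W": 3}, 5: {"W": 0, "N": 3},
}
# WEIGHTS (travel times) are known to the server only.
WEIGHTS = {frozenset(e): w for e, w in
           [((0, 1), 2), ((1, 2), 2), ((2, 3), 1), ((3, 4), 3),
            ((0, 5), 4), ((5, 3), 5)]}

def next_hop_matrix(topology, weights):
    """Server: hop[t][u] = direction of the first hop on the shortest t->u path."""
    nodes = sorted(topology)
    dist = {t: {u: 0 if t == u else math.inf for u in nodes} for t in nodes}
    hop = {t: {u: None for u in nodes} for t in nodes}
    for t, nbrs in topology.items():
        for direction, v in nbrs.items():
            dist[t][v] = weights[frozenset((t, v))]
            hop[t][v] = direction
    for k in nodes:  # Floyd-Warshall, carrying the first hop along
        for t in nodes:
            for u in nodes:
                if dist[t][k] + dist[k][u] < dist[t][u]:
                    dist[t][u] = dist[t][k] + dist[k][u]
                    hop[t][u] = hop[t][k]
    return hop

def route(topology, query, src, dst):
    """Client: one record per round; query(t, u) stands in for a SPIR lookup."""
    path, directions = [src], []
    while path[-1] != dst:
        d = query(path[-1], dst)
        directions.append(d)
        path.append(topology[path[-1]][d])
    return path, directions

R = next_hop_matrix(TOPOLOGY, WEIGHTS)
server_log = []

def plain_query(t, u):
    """Non-private lookup: the server sees every (t, u) index it is asked for."""
    server_log.append((t, u))
    return R[t][u]

if __name__ == "__main__":
    print(route(TOPOLOGY, plain_query, 0, 4))  # N, N, E, E as on the slide
    print(server_log)  # the indices SPIR is meant to hide
```

The client needs only the topology to turn each returned direction into the next node; the server log shows that without SPIR every round leaks the current position and the destination.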

SLIDE 14

Finding Structure

Observation 2: Road networks have geometric structure

Nodes above hyperplane: first hop is north or east

Nodes below hyperplane: first hop is south or west

SLIDE 15

Finding Structure

If each node has four neighbors, can specify neighbors with two bits:

  • 1st bit: encode direction along NW/SE axis
  • 2nd bit: encode direction along NE/SW axis

SLIDE 16

A Compressible Structure

Let $N^{(\mathrm{NE})}$ and $N^{(\mathrm{NW})}$ be next-hop matrices along NE and NW axis (entries in $N^{(\mathrm{NE})}$ and $N^{(\mathrm{NW})}$ are bits)

Objective: for $j \in \{\mathrm{NE}, \mathrm{NW}\}$, find matrices $B^{(j)}, C^{(j)}$ such that

$$N^{(j)} = \operatorname{sign}\left(B^{(j)} \cdot \left(C^{(j)}\right)^{\top}\right)$$

SLIDE 17

A Compressible Structure

Objective: for $j \in \{\mathrm{NE}, \mathrm{NW}\}$, find matrices $B^{(j)}, C^{(j)}$ such that

$$N^{(j)} = \operatorname{sign}\left(B^{(j)} \cdot \left(C^{(j)}\right)^{\top}\right)$$

[Diagram: matrices $B$, $C^{\top}$ and $N$]

$N_{tu}$: direction from $t$ on $t \to u$ shortest path

$B_t$: $t$-th row of “source matrix”

$C_u$: $u$-th row of “destination matrix”

Computing next-hop reduces to computing inner products

Index of row in $B$ only depends on source, index of row in $C$ only depends on destination

SLIDE 18

A Compressible Structure

[Plot: Size of Representation (KB) versus Nodes in Graph, for the Original Representation and the Compressed Representation]

Over 10x compression!

SLIDE 19

An Iterative Shortest-Path Protocol

SPIR queries on databases with $o$ records

Problem: rows and columns of $B, C$ reveal more information than desired

To learn next-hop on $t \to u$ shortest path:

  1. Use SPIR to obtain $t$-th row of $B^{(\mathrm{NE})}$ and $B^{(\mathrm{NW})}$
  2. Use SPIR to obtain $u$-th row of $C^{(\mathrm{NE})}$ and $C^{(\mathrm{NW})}$
  3. Compute $N_{tu}^{(\mathrm{NE})} = \operatorname{sign}\langle B_t^{(\mathrm{NE})}, C_u^{(\mathrm{NE})} \rangle$ and $N_{tu}^{(\mathrm{NW})} = \operatorname{sign}\langle B_t^{(\mathrm{NW})}, C_u^{(\mathrm{NW})} \rangle$

SLIDE 20

Affine Encodings and Arithmetic Circuits

Goal: Reveal inner product without revealing vectors

Idea: Use a “garbled” arithmetic circuit (affine encodings) [AIK14]

  • Encodings reveal output of computation (inner product) and nothing more

Solution: SPIR on arithmetic circuit encodings

SLIDE 21

An Iterative Shortest-Path Protocol

To learn next-hop on $t \to u$ shortest path:

  1. Use SPIR to obtain encodings of $t$-th row of $B^{(\mathrm{NE})}$ and $B^{(\mathrm{NW})}$
  2. Use SPIR to obtain encodings of $u$-th row of $C^{(\mathrm{NE})}$ and $C^{(\mathrm{NW})}$
  3. Evaluate inner products $\langle B_t^{(\mathrm{NE})}, C_u^{(\mathrm{NE})} \rangle$ and $\langle B_t^{(\mathrm{NW})}, C_u^{(\mathrm{NW})} \rangle$
  4. Compute $N_{tu}^{(\mathrm{NE})}$ and $N_{tu}^{(\mathrm{NW})}$ (signs of inner products)

Affine encodings hide source and destination matrices, but inner products reveal too much information

SLIDE 22

Thresholding via Garbled Circuits

Goal: Reveal only the sign of the inner product

Solution: Blind inner product and evaluate the sign function using a garbled circuit [Yao86, BHR12]

  • Instead of $\langle y, z \rangle$, compute $\beta \langle y, z \rangle + \gamma$ for random $\beta, \gamma \in \mathbb{G}_q$
  • Use garbled circuit to unblind and compute the sign

SLIDE 23

An Iterative Shortest-Path Protocol

To learn next-hop on $t \to u$ shortest path:

  1. Use SPIR to obtain encodings of $t$-th row of $B^{(\mathrm{NE})}$ and $B^{(\mathrm{NW})}$
  2. Use SPIR to obtain encodings of $u$-th row of $C^{(\mathrm{NE})}$ and $C^{(\mathrm{NW})}$
  3. Evaluate to obtain blinded inner products $\boldsymbol{A}^{(\mathrm{NE})}$ and $\boldsymbol{A}^{(\mathrm{NW})}$
  4. Use garbled circuit to compute $N_{tu}^{(\mathrm{NE})}$ and $N_{tu}^{(\mathrm{NW})}$

Semi-honest secure! See paper for protection against malicious parties
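The blind-then-threshold step, as an added Python example (not the authors' code) that shows only the arithmetic of the protocol. Assumptions: a toy line graph whose source and destination rows are written down by hand, a prime modulus `Q` standing in for the slide's $\mathbb{G}_q$, SPIR and the affine encodings left out, and a plaintext function in place of the garbled circuit.

```python
import secrets

Q = 2**61 - 1  # prime modulus picked for this sketch (assumption)

# Toy factorisation for nodes 0..n-1 on a line: <B_t, C_u> = u - t, so its
# sign says whether the next hop goes to the higher- or lower-numbered neighbour.
def source_row(t):
    return (-t, 1)       # row t of the "source matrix" B

def dest_row(u):
    return (1, u)        # row u of the "destination matrix" C

def blinded_inner_product(b_row, c_row, beta, gamma):
    """Value the client ends up with: beta*<b, c> + gamma mod Q."""
    ip = sum(x * y for x, y in zip(b_row, c_row))
    return (beta * ip + gamma) % Q

def sign_circuit(blinded, beta, gamma):
    """Plaintext stand-in for the garbled circuit: unblind, read the field
    element as a signed integer in (-Q/2, Q/2), and output only its sign."""
    ip = (blinded - gamma) * pow(beta, -1, Q) % Q
    if ip > Q // 2:
        ip -= Q
    return (ip > 0) - (ip < 0)

def next_hop_round(t, u):
    """One protocol round, with both parties simulated in a single process."""
    beta = 1 + secrets.randbelow(Q - 1)   # random nonzero blinding, fresh per round
    gamma = secrets.randbelow(Q)
    blinded = blinded_inner_product(source_row(t), dest_row(u), beta, gamma)
    return blinded, sign_circuit(blinded, beta, gamma)

def route_on_line(t, u):
    """Iterate rounds until the destination is reached."""
    path = [t]
    while path[-1] != u:
        _, step = next_hop_round(path[-1], u)
        path.append(path[-1] + step)
    return path

if __name__ == "__main__":
    print(route_on_line(2, 6))
    print([next_hop_round(2, 6)[0] for _ in range(3)])  # differs every round
```

The sign is only meaningful while the true inner product stays well inside (-Q/2, Q/2), which is why the unblinded value is mapped to its centered representative before thresholding.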

SLIDE 24

Benchmarks

Preprocessed city maps from OpenStreetMap

SLIDE 25

Online Benchmarks

| City | Number of Nodes | Time per Round (s) | Bandwidth (KB) |
|---|---|---|---|
| San Francisco | 1830 | 1.44 ± 0.16 | 88.24 |
| Washington D.C. | 2490 | 1.64 ± 0.13 | 90.00 |
| Dallas | 4993 | 2.91 ± 0.19 | 95.02 |
| Los Angeles | 7010 | 4.75 ± 0.22 | 100.54 |

Timing and bandwidth for each round of the online protocol (with protection against malicious clients)

SLIDE 26

End-to-End Benchmarks

| City | Number of Rounds | Total Online Time (s) | Online Bandwidth (MB) |
|---|---|---|---|
| San Francisco | 97 | 140.39 | 8.38 |
| Washington D.C. | 120 | 197.48 | 10.57 |
| Dallas | 126 | 371.44 | 11.72 |
| Los Angeles | 165 | 784.34 | 16.23 |

End-to-end performance of private shortest paths protocol (after padding number of rounds to maximum length of shortest path for each network)

SLIDE 27

Conclusions

Problem: privacy-preserving navigation

Routing information for road networks is compressible!

  • Optimization-based compression technique achieves over 10x compression of next-hop matrices

Compressed routing matrix lends itself to iterative shortest-path protocol

  • Computing the shortest path reduces to computing sign of inner product
  • Leverage combination of arithmetic circuits + Boolean circuits

SLIDE 28

Questions?